package cn.wgx.common.security.client.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class ResourceOauth2ServerConfig extends ResourceServerConfigurerAdapter {


    @Autowired
    private TokenStore tokenStore;
    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;
    @Autowired
    private OAuth2WebSecurityExpressionHandler expressionHandler;
    @Autowired
    private OAuth2AccessDeniedHandler oAuth2AccessDeniedHandler;
    @Autowired
    private AnonUrlProperties anonUrlProperties;

//    public void configure(WebSecurity web) throws Exception {
//        web.ignoring().antMatchers(anonUrlProperties.getAnonUrls());
//    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources)  {
        if (tokenStore != null) {
            resources.tokenStore(tokenStore);
        }
        //配置资源ID
//        resources.resourceId("");
        // 自定义异常处理端口
        resources.authenticationEntryPoint(authenticationEntryPoint)
                .expressionHandler(expressionHandler)
                //拒绝请求返回信息处理
                .accessDeniedHandler(oAuth2AccessDeniedHandler);

    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.headers().frameOptions().disable();
        http
                .exceptionHandling()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            //全部放行
            .antMatchers(anonUrlProperties.getAnonUrls()).permitAll()
            .anyRequest().authenticated()
        //todo 对url进行权限认证
//        .withObjectPostProcessor(new ObjectPostProcessor<FilterSecurityInterceptor>(){
//            @Override
//            public <O extends FilterSecurityInterceptor> O postProcess(O object) {
//                return object;
//            }
//        })
        ;
        //添加过滤器,对URL进行权限认证, 根据类 ResourceServerSecurityConfigurer 224行代码判断插入位置
//        http.addFilterAfter(new Oauth2ClientPermissionFilter(), FilterSecurityInterceptor.class);


//        authorizedUrl.access("");
        //认证之后才能访问的接口与对应权限
            // 以下为配置所需保护的资源路径及权限，需要与认证服务器配置的授权部分对应
//            .antMatchers("/api/**").hasAuthority("System")

    }


}
